Privacy Badger Now Fights More Sneaky Google Tracking

With its latest update, Privacy Badger now fights “link tracking” in a number of Google products.

Link tracking allows a company to follow you whenever you click on a link to leave its website. Earlier this year, EFF rolled out a Privacy Badger update targeting Facebook’s use of this practice. As it turns out, Google performs the same style of tracking, both in web search and, more concerning, in spaces for private conversation like Hangouts and comments on Google Docs. From now on, Privacy Badger will protect you from Google’s use of link tracking in all of these domains.

Google Link Tracking in Search, Hangouts, and Docs

This update targets link tracking in three different products: Google web search, Hangouts, and the Docs suite (which includes Google Docs, Google Sheets, and Google Slides). In each place, Google uses a variation of the same technique to track the links you click on.

Google Web Search

After you perform a web search, Google presents you with a list of results. On quick inspection, the links in the search results seem normal: hovering over a link to EFF’s website shows that the URL underneath does, in fact, point to https://www.eff.org. But once you click on the link, the page will fire off a request to google.com, letting the company know where you’re coming from and where you’re going. This way, Google tracks not only what you search for, but which links you actually click on.

Google uses different techniques in different browsers to make this type of tracking possible.

In Chrome, its approach is fairly straightforward. The company uses the new HTML “ping” attribute, which is designed to perform exactly this kind of tracking. When you click on a link that carries a “ping” attribute, your browser makes two requests: one to the website you want to go to, and another (in the background) to Google, containing the link you clicked and extra, encoded information about the context of the page.

A search result in Chrome (top) and its source code, including the tracking “ping” attribute (bottom).

In Firefox, things are more complicated. Hyperlinks there look normal at first. Hovering over them doesn’t change anything, and there’s no obvious “ping” attribute. But as soon as you click on a link, you’ll notice that the URL shown in the bottom left corner of the browser – the one you’re about to navigate to – has changed into a Google link.

Watch the URL in the lower left hand corner: before clicking, it looks normal, but after pressing the mouse button down, it’s swapped out for a Google link shim.

How did that happen? For each link, Google has set a piece of JavaScript code to execute, in the background, on “mousedown”—the instant your mouse button is pressed on the link (but before you release the click). This code replaces the normal URL with a link shim that redirects you through Google on the way to your destination. Since your browser doesn’t navigate away from the search page until you release the mouse button, the code has more than enough time to slide a tracking link right under your nose.

In the background, JavaScript changes the link the instant that you click on it.

Google Hangouts and the Google Docs Suite

In Hangouts and the Docs suite, the tracking is less sophisticated, but just as effective. Try sending a link to one of your friends in a Hangouts chat. Although the message might look like an innocuous URL, you can hover over the hyperlink to reveal that it’s actually a link shim in disguise. The same thing happens with links in comments on Google Docs, Google Sheets, and Google Slides. That means Google will track whether and when your friend, family member, or co-worker clicks on the link that you sent them.

These tracking links are easy to spot, if you know where to look. Simply hover over one and you’ll find that it’s not quite what you expect.

Hovering over the link in a Hangouts window (right) reveals that it actually points to a Google link shim (bottom).
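The sketch below is an added example, not Privacy Badger's own code: it strips the “ping” attribute, unwraps link shims back to their destination, and repeats the cleanup at click time to account for the “mousedown” swap described for Firefox. The shim format (`https://www.google.com/url?q=<destination>`) and the helper names are assumptions, since the page does not show them.

```javascript
// Added example (not Privacy Badger's code). Assumed shim form, not shown on the page:
//   https://www.google.com/url?q=<destination>  (or url=<destination>)
const SHIM_HOSTS = new Set(["google.com", "www.google.com"]);
const DEST_PARAMS = ["q", "url"];

// Return the real destination if href is a link shim, otherwise href unchanged.
function unwrapShim(href) {
  let u;
  try { u = new URL(href); } catch { return href; } // relative or malformed
  if (!SHIM_HOSTS.has(u.hostname) || u.pathname !== "/url") return href;
  for (const name of DEST_PARAMS) {
    const dest = u.searchParams.get(name);
    if (!dest) continue;
    try {
      const d = new URL(dest);
      // Only follow web destinations; never unwrap into javascript:, data:, etc.
      if (d.protocol === "http:" || d.protocol === "https:") return d.href;
    } catch { /* value was not an absolute URL (e.g. a search term) */ }
  }
  return href;
}

// Works on a DOM <a> element or, for testing, any object with the same members.
function cleanLink(a) {
  if (a.hasAttribute("ping")) a.removeAttribute("ping"); // Chrome-style tracking
  const real = unwrapShim(a.href);                        // Hangouts/Docs-style shim
  if (real !== a.href) a.href = real;
  return a;
}

// Constructed stand-in for an <a> element so the logic runs outside a browser.
function fakeAnchor(href, attrs = {}) {
  return {
    href, attrs,
    hasAttribute(n) { return n in this.attrs; },
    removeAttribute(n) { delete this.attrs[n]; },
  };
}

// In a page: clean once, then again on every click in the capture phase, because
// the mousedown handler described above swaps href in after the page has loaded.
if (typeof document !== "undefined") {
  document.querySelectorAll("a[href]").forEach(cleanLink);
  document.addEventListener("click", (e) => {
    const a = e.target.closest && e.target.closest("a[href]");
    if (a) cleanLink(a);
  }, true);
}
```

Cleaning links only at page load would miss the Firefox case, which is why the click-time pass is there.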

These link shims may be more nefarious than their web search counterparts. When you use Google search, you’re engaging in a kind of dialog with the company. Many users understand, even if they don’t like it, that Google provides search results in exchange for ad impressions and collects a good deal of information as part of the bargain. But when you use Hangouts to chat with a friend, it feels more private. Google provides the chat platform, but it doesn’t serve ads there, and it shouldn’t have any business reading your messages. Knowing that the company is tracking the links you share, both when you send them and when they’re clicked, might make you think twice about how you communicate.

We will continue investigating the ways that Facebook, Google, Twitter, and others track you, and we’ll keep teaching Privacy Badger new ways to fight back. In the meantime, if you’re a developer and would like to help, check us out on GitHub.